Forum Discussion

Wasfi_Bounni's avatar
Wasfi_Bounni
Icon for Cirrocumulus rankCirrocumulus
Sep 24, 2023

Is the update and application of new AWAF attack signatures "Service Affecting"?

Hi;

Is the update and application of new AWAF or ASM attack signatures "Service Affecting"? Also does applying the new attack signatures entail a reboot of the device?

Kindly

Wasfi

  • Hi Wasfi_Bounni , 
    Yes , it may impcat you. 

    and not it depends : 

    1. you want to enforce signtaures immediately. ( may impact you and produce false positives ) 
    2. you can keep these signature under learning for a while ( Readness period "default 7 days" ) 

    Open ( Security >> Application security >> Learning and blocking settinngs >>> Attack signatures ) 

    - If you want to enforce it directley : 
    open this : 

     

    Make sure ( you're selecting enforce updated rule immediately ...... ). 
    >>> by doing this all newly updated signature will be enforced directly. 

    - If you want to keep updated signature for a while and in learning and after checking your learning suggestion to take your decision : 

    modify your configuration like this : 



    >>> performing this shoud put your newly signatures in statging waiting the ( Readness period to be fininshed ) to be ready to be enforced and you will work on parallel on learning suggestions ( Accept / delete suggestions ) based on your analysis in suggestions collected from requests samples. 

    I hope this helps you 🙂 

  • Hi Wasfi_Bounni , 
    Yes , it may impcat you. 

    and not it depends : 

    1. you want to enforce signtaures immediately. ( may impact you and produce false positives ) 
    2. you can keep these signature under learning for a while ( Readness period "default 7 days" ) 

    Open ( Security >> Application security >> Learning and blocking settinngs >>> Attack signatures ) 

    - If you want to enforce it directley : 
    open this : 

     

    Make sure ( you're selecting enforce updated rule immediately ...... ). 
    >>> by doing this all newly updated signature will be enforced directly. 

    - If you want to keep updated signature for a while and in learning and after checking your learning suggestion to take your decision : 

    modify your configuration like this : 



    >>> performing this shoud put your newly signatures in statging waiting the ( Readness period to be fininshed ) to be ready to be enforced and you will work on parallel on learning suggestions ( Accept / delete suggestions ) based on your analysis in suggestions collected from requests samples. 

    I hope this helps you 🙂 

  • It depends what you mean with "service affecting" ... as to your second question, it wont reboot the device and it will also not restart BIG-IP services or such causing general traffic interuptions.

    as Mohamed explains it might affect your service if a false positive occurs in the new signatures and they are applied in blocking mode. this is always a tricky choice, perhaps some interuption but auto update. or long checking and testing. your choice in the end.